Document retention in HR: How to stay compliant in your industry

Document retention is a deceptively complex compliance challenge for HR managers. Topics like health and safety, anti-discrimination and compensation (rightfully) make headlines. While that’s happening, though, the Information Commissioner’s Office (ICO) is busy meting out fines for mishandled data.

The law requires that businesses store and destroy certain HR records on a strict timeline. In most cases, those timelines span several years. Legislation can change, and the onus is on HR staff to evolve their processes as the law does.

Here’s how to stay compliant – and how digitisation turns a full-time job into a ticked box.

Statutory regulation

The government regulates certain documents more strictly than others. Those that fall under data protection law are subject to ‘statutory’ requirements. There are two key regulations to consider if you’re operating in the UK.
You’ve likely heard of the General Data Protection Regulation (GDPR). The Data Protection Act of 2018 (DPA) may be less familiar, but both are designed to enforce best practice when it comes to collecting, managing and disposing of people’s information.

It’s helpful to know the specifics of those regulatory frameworks, but there are a few major takeaways for HR compliance that you must be aware of:

  • Data protection. Any information you collect about your staff must be given with consent. You should only gather it with good reason, and it must be relevant to the associated role or industry.
  • Security. You must subject your data to appropriate security measures for the entire retention period. If your document management system is ISO27001 certified, for example, you’re likely compliant by default.
  • Access to information. Staff can request copies of statutory records at any time, as can regulators.

What’s covered, and for how long?

The CIPD provides a comprehensive guide to the documents covered by statutory regulation. Retention periods range from six months for documents related to whistleblowing, through to at least 50 years for records kept under the Ionising Radiations Regulations. Not all will apply to every business, so it’s worth consulting the list.

Non-statutory retention

For everything else, it is up to the employer what data to gather and how long to keep it for. In some industries (like the public sector) further regulation will define retention periods. For others, though, the answers are less obvious.

Determining what to collect

If there’s no statutory or industry guidance for a particular document, err on the side of caution. Ask yourself:

  • Is this information relevant to the employment of the person in question?
  • Is there any chance that this information will need to be recalled at any point?
  • Who should have access to these documents, and why do they need that access?
  • When and how often will I need to review this document to ensure that it’s still accurate?

The Limitation Act

A good rule of thumb is to take the Limitation Act 1980 as a rough guide. It’s the legislation that sets the time limit for bringing a legal claim at six years. If an employee wishes to raise a dispute concerning a contract, for example, they’ll need to do it within that six-year window.

As such, it’s best to maintain most records for six years beyond the end of an employee’s contract.

Compliant document retention

Being aware of requirements and recommendations is only half the compliance battle. Adhering to them means auditing, updating, maintaining and destroying a whole company’s worth of documentation.

Responsible (but efficient) data protection

The CIPD recommends appointing a data protection officer. For larger organisations this makes sense. Either way, though, while that role reviews and manages best practice, execution still sits with your HR team. Upskilling staff to manage and report on an automated system reduces the risk of human error and keeps the workload manageable.

An electronic document management system (EDMS) centralises and standardises your HR records. This makes records easier to track, and securing data and managing access is far easier on a centralised, ISO-certified platform.

With an understanding of regulation and the help of automation, it’s also possible to create compliance workflows that destroy documents on the appropriate timeline.

The importance of organisation

Don’t underestimate the value of proper document organisation. Regulations like the DPA protect employees’ right to access their records as much as they protect the data itself.

This makes organised document retention an issue of paramount importance.

While you could eventually find a document in a disorganised retention system, you run the risk of non-compliance if you exceed the 30-day limit for responding to an access request. The quicker you can locate documents, the better.

Adapting to new compliance challenges

Document retention regulations aren’t set in stone. The sudden shift to remote work presented a challenge to East Lothian Council. While they had been able to securely upload records to their EDMS from physical locations, the dispersal of their team during the COVID-19 outbreak made that impossible.

Thanks to their digital record management, we were able to help them adapt to remote uploads without risking compliance.

By adding an upload portal to Therefore (the EDMS we use and implement), we made it possible for council staff to create records from home. Crucially, secure access controls meant that they weren’t risking data integrity in the process.

The UK’s data regulations are set to be reviewed in 2025, and it’s difficult to predict the changes that will arise. As regulations and working circumstances evolve, so must your document retention strategy. Gathering your records on one secure platform and working with a responsive document management partner makes adaptive compliance a far less daunting prospect.